Security is one of the most important things to consider when you are online. The more your online communications are secured with encryption, the better. Data encryption has slowed down computing speeds in the past, which has improved with modern CPUs. But we can do more. OpenVPN has just introduced a new development that will increase the speed for its users by running out of the kernel space: OpenVPN Data Channel Offload (DCO).
What is Kernel Space?
The kernel is what loads when you turn on your computer (no matter the operating system). It's the base layer for all the other layers. The hardware makes up the foundation, the kernel space on top of that, followed by the user space. At the very top are the programs you use. The higher up in a layer, the further away you are from the hardware and the slower your program runs. So when you think about encrypting data it can be a challenge. Exchanging data between these two layers costs processing power, which introduces a bottleneck for OpenVPN speed.
For a user-space VPN, like OpenVPN, encryption overhead and context switches limit speeds. With modern CPUs, the encryption overhead has improved through extensions like Intel AES-NI, which in turn improves speeds for OpenVPN users. But the overhead with context switches still needs addressing. As personal and business internet speeds increase and applications use more bandwidth, users expect fast speeds with online communications. Thus, the impact of this overhead has become more noticeable.
Turning conventional wisdom on its head: OpenVPN DCO
We now have OpenVPN Data Channel Offload, or ovpn-dco. OpenVPN DCO implements the Linux kernel module which handles the OpenVPN data channel. OpenVPN no longer sends data traffic between the user and kernel space for routing and encryption/decryption. Operations on payloads take place in the Linux kernel optimizing performance. This cuts out the latency and cost of the payload transfer between user and kernel space.
On top of that, the encryption is now multi-threaded. Multi-threading is the process of splitting up tasks or jobs into smaller units and assigning them to different CPUs. What does that mean for the end user? Data transfer happens much faster.
James Yonan, CTO of OpenVPN talks about the importance of offloading, “Offloading is really the holy grail of both security and performance because it allows us to embrace industry standard protocols such as SSL/TLS, but by offloading the packet processing to kernel space or hardware, we can push performance to the limits of wire speed.”
The OpenVPN DCO incorporates the entire OpenVPN data channel into the kernel module while keeping the control channel outside the kernel, continuing to use the standard SSL/TLS protocols, including support for TLS 1.3 features.
Testing the Speed
To give you an idea of the speed improvement, here are test results with OpenVPN 2.6 dco development version in three different configurations:
Performance numbers below are iperf3 test results conducted on an AMD ThreadRipper 3970x system running Hyper-V as the hypervisor with Linux and Windows guests. Cipher algorithm used is AES-256-GCM.
OpenVPN DCO Availability
OpenVPN Cloud, our next-gen VPN has already launched DCO in production, where we are seeing order-of-magnitude performance gains on the server side and expect to see similar gains in the client when ovpn-dco becomes widespread on the client side.
This development is incredibly exciting, because eliminating this notorious bottleneck is not some lofty long-term future goal — it's already happening.
- OpenVPN3 Linux client is available as beta.
- ovpn-dco-win is currently available as a tech preview and will officially be available as part of the 2.6 release in Q4 2021.
- Linux OpenVPN server coupled with the DCO module achieves truly impressive speeds. Tech preview is out with developers working on the broad release right now.
OpenVPN Inc. believes in open source, and backs this fully. The developers working on OpenVPN3 and OpenVPN Cloud will take these impressive new capabilities and give them back to the community. We will be releasing OpenVPN 2.6.0 in Q4 of this year, with DCO support included. As long as you’re using an OpenVPN 2.6 development build, you’ll be able to enjoy a vast improvement in data transfer speed when you install the open source DCO module on Windows or Linux platforms. We will also be incorporating the DCO module for Windows into OpenVPN Connect v3 in a future release; this way, all Windows users can benefit from this increased speed. OpenVPN Access Server will also benefit from the DCO module for Linux, when we introduce this feature in a future release of OpenVPN Access Server.